MGASA-2019-0302 - Updated java-1.8.0-openjdk packages fix security vulnerabilities

Publication date: 23 Oct 2019
URL: https://advisories.mageia.org/MGASA-2019-0302.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-2945,
     CVE-2019-2949,
     CVE-2019-2962,
     CVE-2019-2964,
     CVE-2019-2973,
     CVE-2019-2975,
     CVE-2019-2978,
     CVE-2019-2981,
     CVE-2019-2983,
     CVE-2019-2987,
     CVE-2019-2988,
     CVE-2019-2989,
     CVE-2019-2992,
     CVE-2019-2999

The updated packages fix several bugs and some security issues:

Missing restrictions on use of custom SocketImpl (Networking, 8218573).
(CVE-2019-2945)

Improper handling of Kerberos proxy credentials (Kerberos, 8220302).
(CVE-2019-2949)

NULL pointer dereference in DrawGlyphList (2D, 8222690). (CVE-2019-2962)

Unexpected exception thrown by Pattern processing crafted regular
expression (Concurrency, 8222684). (CVE-2019-2964)

Unexpected exception thrown by XPathParser processing crafted XPath
expression (JAXP, 8223505). (CVE-2019-2973)

Unexpected exception thrown during regular expression processing in
Nashorn (Scripting, 8223518). (CVE-2019-2975)

Incorrect handling of nested jar: URLs in Jar URL handler
(Networking, 8223892). (CVE-2019-2978)

Unexpected exception thrown by XPath processing crafted XPath expression
(JAXP, 8224532). (CVE-2019-2981)

Unexpected exception thrown during Font object deserialization
(Serialization, 8224915). (CVE-2019-2983)

Missing glyph bitmap image dimension check in FreetypeFontScaler
(2D, 8225286). (CVE-2019-2987)

Integer overflow in bounds check in SunGraphics2D (2D, 8225292).
(CVE-2019-2988)

Incorrect handling of HTTP proxy responses in HttpURLConnection
(Networking, 8225298). (CVE-2019-2989)

Excessive memory allocation in CMap when reading TrueType font
(2D, 8225597). (CVE-2019-2992)

Insufficient filtering of HTML event attributes in Javadoc
(Javadoc, 8226765). (CVE-2019-2999)

References:
- https://bugs.mageia.org/show_bug.cgi?id=25576
- https://access.redhat.com/errata/RHSA-2019:3128
- https://www.oracle.com/security-alerts/cpuoct2019.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999

SRPMS:
- 7/core/java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7

Mageia 2019-0302: java-1.8.0-openjdk security update

The updated packages fix several bugs and some security issues: Missing restrictions on use of custom SocketImpl (Networking, 8218573)

Summary

The updated packages fix several bugs and some security issues:
Missing restrictions on use of custom SocketImpl (Networking, 8218573). (CVE-2019-2945)
Improper handling of Kerberos proxy credentials (Kerberos, 8220302). (CVE-2019-2949)
NULL pointer dereference in DrawGlyphList (2D, 8222690). (CVE-2019-2962)
Unexpected exception thrown by Pattern processing crafted regular expression (Concurrency, 8222684). (CVE-2019-2964)
Unexpected exception thrown by XPathParser processing crafted XPath expression (JAXP, 8223505). (CVE-2019-2973)
Unexpected exception thrown during regular expression processing in Nashorn (Scripting, 8223518). (CVE-2019-2975)
Incorrect handling of nested jar: URLs in Jar URL handler (Networking, 8223892). (CVE-2019-2978)
Unexpected exception thrown by XPath processing crafted XPath expression (JAXP, 8224532). (CVE-2019-2981)
Unexpected exception thrown during Font object deserialization (Serialization, 8224915). (CVE-2019-2983)
Missing glyph bitmap image dimension...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=25576

- https://access.redhat.com/errata/RHSA-2019:3128

- https://www.oracle.com/security-alerts/cpuoct2019.html

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2945

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2949

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2962

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2964

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2973

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2975

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2978

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2981

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2983

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2987

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2988

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2989

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2992

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2999

Resolution

MGASA-2019-0302 - Updated java-1.8.0-openjdk packages fix security vulnerabilities

SRPMS

- 7/core/java-1.8.0-openjdk-1.8.0.232-1.b09.2.mga7

Severity
Publication date: 23 Oct 2019
URL: https://advisories.mageia.org/MGASA-2019-0302.html
Type: security
CVE: CVE-2019-2945, CVE-2019-2949, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2999

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved